postfix mail server infected ?
    trafdev 
    trafdev at mail.ru
       
    Sun Nov 25 18:28:02 UTC 2012
    
    
  
Hi. Can you please point me to some discussions and solutions related 
to this problem? Thanks.
On Sun Nov 25 02:43:10 2012, Kim Culhan wrote:
> On Sat, November 24, 2012 1:08 pm, trafdev wrote:
> > Hi. I've a dedicated stand-alone FreeBSD server:
> >  > uname -a
> > FreeBSD trafd-website-freebsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0:
> > Tue Jun 12 02:52:29 UTC 2012
> > root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
> <mailto:root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC>
> amd64
> >
> > Server has one external interface (re0) with IP 206.239.112.241 and
> > postfix service installed on 25 port.
> >
> > Yesterday I've noticed huge amount of emails sending out:
> >
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37230]: connect from
> > f116.sd.com <http://f116.sd.com>[206.239.112.241]
> > Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73F7D1365D:
> > from=<wkktxh at f116.sd.com <mailto:wkktxh at f116.sd.com>>, size=1211,
> nrcpt=10 (queue active)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37366]: 75ECA134F2:
> > to=<reco.motos at yahoo.com.br <mailto:reco.motos at yahoo.com.br>>,
> relay=none, delay=25715,
> > delays=25715/0.02/0/0.12, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net
> <http://mta7.am0.yahoodns.net>[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37368]: 794A911711:
> > to=<tayd at yahoo.com.br <mailto:tayd at yahoo.com.br>>, relay=none,
> delay=29716,
> > delays=29716/0.05/0/0.05, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net
> <http://mta7.am0.yahoodns.net>[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36699]: E559512F49:
> > to=<luziarodrigues757 at terra.com.br
> <mailto:luziarodrigues757 at terra.com.br>>,
> > relay=vip-us-br-mx.terra.com
> <http://vip-us-br-mx.terra.com>[208.84.244.133]:25, delay=26077,
> > delays=26075/1/0.59/0.31, dsn=4.7.1, status=deferred (host
> > vip-us-br-mx.terra.com
> <http://vip-us-br-mx.terra.com>[208.84.244.133] said: 450 4.7.1 You've
> exceeded
> > your sending limit to this domain. (in reply to end of DATA command))
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37370]: 7C45D18E5D:
> > to=<a925er at yahoo.com.br <mailto:a925er at yahoo.com.br>>, relay=none,
> delay=6984,
> > delays=6984/0.02/0/0.04, dsn=4.7.0, status=deferred (delivery
> > temporarily suspended: host mta7.am0.yahoodns.net
> <http://mta7.am0.yahoodns.net>[66.94.236.34] refused
> > to talk to me: 421 4.7.0 [TS01] Messages from 206.239.112.241
> > temporarily deferred due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/qmgr[40324]: 73E8118E53:
> > from=<t9zir at f116.sd.com <mailto:t9zir at f116.sd.com>>, size=1143,
> nrcpt=10 (queue active)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtpd[37153]: 93E1020413:
> > client=f116.sd.com <http://f116.sd.com>[206.239.112.241]
> > Nov 24 00:00:37 trafd-website-freebsd postfix/error[37367]: 74A511A5BF:
> > to=<duscherer1 at yahoo.com.br <mailto:duscherer1 at yahoo.com.br>>,
> relay=none, delay=5587,
> > delays=5587/0/0/0.18, dsn=4.7.0, status=deferred (delivery temporarily
> > suspended: host mta7.am0.yahoodns.net
> <http://mta7.am0.yahoodns.net>[66.94.236.34] refused to talk to
> > me: 421 4.7.0 [TS01] Messages from 206.239.112.241 temporarily deferred
> > due to user complaints - 4.16.55.1; see
> > http://postmaster.yahoo.com/421-ts01.html)
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36698]: E7898134D0:
> > to=<gvfg at terra.com.br <mailto:gvfg at terra.com.br>>,
> relay=vip-us-br-mx.terra.com
> <http://vip-us-br-mx.terra.com>[208.84.244.133]:25,
> > conn_use=4, delay=25728, delays=25726/1.1/0.06/0.4, dsn=4.7.1,
> > status=deferred (host vip-us-br-mx.terra.com
> <http://vip-us-br-mx.terra.com>[208.84.244.133] said: 450
> > 4.7.1 You've exceeded your sending limit to this domain. (in reply to
> > end of DATA command))
> > Nov 24 00:00:37 trafd-website-freebsd postfix/smtp[36226]: 7BE421F989:
> > to=<elc.moura at bol.com.br <mailto:elc.moura at bol.com.br>>,
> relay=mx3.bol.com.br <http://mx3.bol.com.br>[200.147.36.13]:25,
> > delay=339, delays=339/0/0.49/0.24, dsn=4.7.1, status=deferred (host
> > mx3.bol.com.br <http://mx3.bol.com.br>[200.147.36.13] said: 450
> 4.7.1 <elc.moura at bol.com.br <mailto:elc.moura at bol.com.br>>:
> > Recipient address rejected: MX-BOL-04 - Too many messages, try again
> > later. (in reply to RCPT TO command))
> >
> > Where f116.sd.com <http://f116.sd.com>[206.239.112.241] is an IP and
> host assigned for
> > external interface (re0).
> >
> > Due to "permit_mynetworks" policy enabled in postfix conf mail was
> > sending out without authentication. However all externally connected
> > clients were rejected which is proper and expected behavior:
> >
> > Nov 24 19:31:04 trafd-website-freebsd postfix/smtpd[65618]: connect from
> > a2-starfury4.uol.com.br <http://a2-starfury4.uol.com.br>[200.147.33.227]
> > Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: NOQUEUE:
> > reject: RCPT from a2-starfury4.uol.com.br
> <http://a2-starfury4.uol.com.br>[200.147.33.227]: 550 5.1.1
> > <pehw at f116.sd.com <mailto:pehw at f116.sd.com>>: Recipient address
> rejected: User unknown in virtual
> > mailbox table; from=<> to=<pehw at f116.sd.com
> <mailto:pehw at f116.sd.com>> proto=ESMTP
> > helo=<mx.uol.com.br <http://mx.uol.com.br>>
> > Nov 24 19:31:05 trafd-website-freebsd postfix/smtpd[65618]: disconnect
> > from a2-starfury4.uol.com.br
> <http://a2-starfury4.uol.com.br>[200.147.33.227]
> >
> > Then, I've tried:
> >
> > $cmd 001 deny all from any to me dst-port 25 in via re0
> > $cmd 002 deny all from any to me dst-port 25 out via re0
> >
> > and cleaned local mail queue with
> > postsuper -d ALL
> >
> > This didn't changed anything - server continued to send huge amount of
> > emails.
> >
> > However restrictions on lo0:
> > $cmd 001 deny all from any to me dst-port 25 in via lo0
> > $cmd 002 deny all from any to me dst-port 25 out via lo0
> >
> > did the trick - emailing had stopped. So by fact - problem solved, but
> > the real reason wasn't not found.
> >
> > I've launched clamav and f-prot scans - nothing suspicious found.
> >
> > The main question I have - how it's possible on stand-alone dedicated
> > server - who and how is connecting on behalf of it's own ext ip and uses
> > local interface to send emails? Is this possible to do from outside, or
> > server was infected from inside?
> It appears the delivery failures are failed attempts to deliver bounce
> messages which likely are generated in response to receiving emails
> with a Delivered-To: header with the address the same as the delivery
> address.
> The email has a forged sender address where postfix tries to send the
> bounce message.
> This activity seems to be increasing and we can guess at what the
> motivation might be..
> Though its not a FreeBSD problem, there is very little discussion on
> the 'net about this and it probably causes a lot of grief for those on
> the receiving end of the bounce messages.
> Would be good if users of postfix on FreeBSD were aware of this and
> took some action.
> Google searching will find a few possibilities for that action, none I
> found were without some potential negative effects.
> Hope this helps..
> -kim
    
    
More information about the freebsd-hackers
mailing list